Hi, sorry for a delay...

On Tue, Mar 04, 2008 at 02:51:41PM -0500, Christopher J. PeBenito wrote:
> On Wed, 2008-02-20 at 18:03 +0100, Václav Ovsík wrote:
> > I'm running HEAD refpolicy on Debian Sid, but this patch is not
> > Debian-specific this time.
> > Having a copy of my std bash profile on the testing machine with
> > a snippet (from gpg-agent man page):
> >
> > if test -f $HOME/.gpg-agent-info \
> >    && kill -0 `cut -d: -f 2 $HOME/.gpg-agent-info` 2>/dev/null
> > then
> >     . $HOME/.gpg-agent-info
> >     export GPG_AGENT_INFO
> >     export SSH_AUTH_SOCK
> >     export SSH_AGENT_PID
> > else
> >     eval `gpg-agent --daemon --write-env-file`
> > fi
> >
> > I got a number of denials for this snippet of commands.
> >
> > 1. Found a typo for permissions to create socket in the /tmp.
> > 2. Added permission to send signal 0 by the user (see above).
> > 3. Added permissions for writing agent info file into user's home
> >    directory.
> >
> >
> > Index: policy/modules/apps/gpg.if
> > ===================================================================
> > --- policy/modules/apps/gpg.if (revision 2617)
> > +++ policy/modules/apps/gpg.if (working copy)
> > @@ -212,6 +212,12 @@
> >  	manage_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t)
> >  	manage_lnk_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t)
> >  
> > +	# write ~/.gpg-agent-info (gpg-agent --write-env-file option)
> > +	allow $1_gpg_agent_t { $1_home_dir_t $1_home_t }:dir add_entry_dir_perms;
> > +	type_transition $1_gpg_agent_t $1_home_dir_t:file $1_home_t;
> > +	allow $1_gpg_agent_t $1_home_t:file create_file_perms;
> > +	allow $1_gpg_agent_t $1_home_t:file write_file_perms;
>
> I'm a little hesitant to add this unconditionally, I don't think we want
> gpg-agent to write out to general home dir content. Perhaps we should
> have a tunable, or a specific type for this.

I added these rules so that the example from the gpg-agent manpage can work
out-of-the-box. Adding a tunable (with the default to disallow) will not
satisfy this. Maybe the latter - a specific type, but what security risk do
these rules pose? I thought that the domain X_gpg_agent_t is a very trusted
domain that manages my secret keys and should be shielded against the world
around, and not the opposite.

> >  	# allow gpg to connect to the gpg agent
> >  	stream_connect_pattern($1_gpg_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t,$1_gpg_agent_t)
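Review bot: the target of `allow $1_gpg_agent_t $1_home_t:file write_file_perms;` is every file labelled $1_home_t, not just ~/.gpg-agent-info, and `add_entry_dir_perms` on { $1_home_dir_t $1_home_t } lets the agent create files in any directory of the user's home, so the type_transition to $1_home_t gives the new file no label of its own that the allow rules could be scoped to. If the env file is to work out-of-the-box, a dedicated file type for it (assigned by the type_transition from $1_home_dir_t, with create and write granted only on that type; the name is up to the submitter) keeps the agent from being able to write arbitrary home files, which is the same split the `$1_gpg_secret_t` manage patterns two lines above already use for the keyring.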
> >  
> > @@ -219,11 +225,11 @@
> >  	ps_process_pattern($2,$1_gpg_agent_t)
> >  
> >  	# Allow the user shell to signal the gpg-agent program.
> > -	allow $2 $1_gpg_agent_t:process { signal sigkill };
> > +	allow $2 $1_gpg_agent_t:process { signal sigkill signull };
> >  
> > -	manage_dirs_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
> > -	manage_files_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
> > -	manage_sock_files_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
> > +	manage_dirs_pattern($1_gpg_agent_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
> > +	manage_files_pattern($1_gpg_agent_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
> > +	manage_sock_files_pattern($1_gpg_agent_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
> >  	files_tmp_filetrans($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir })
>
> This isn't a typo, the user domain should still be able to manage
> gpg-agent's tmp files.

Yes, you are right. I just looked at the ssh-agent rules and considered
them more or less equivalent to gpg-agent. Gpg-agent should do clean-up of
its socket, but maybe some crash. Ok, what about ssh-agent? Should these
rules for the userdomain be added for it too?
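Review bot: replacing $2 with $1_gpg_agent_t in the three manage_*_pattern calls removes the user domain's rights on $1_gpg_agent_tmp_t instead of adding the agent's; the following `files_tmp_filetrans($1_gpg_agent_t, ...)` only labels what the agent creates under /tmp and grants nothing by itself, so the agent needs its own manage rules and the fix is to keep the $2 lines and add three $1_gpg_agent_t lines beside them (item 1 of the description is a missing rule, not a typo). The `signull` addition is the right permission for the `kill -0` in the profile snippet.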
zito@sid:/tmp$ rm -rf ssh-*
audit(1206101398.028:16): avc: denied { write } for pid=2155 comm="rm" name="ssh-IgYHrr2122" dev=sda1 ino=49168 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:sshd_tmp_t:s0 tclass=dir
audit(1206101398.028:17): avc: denied { remove_name } for pid=2155 comm="rm" name="agent.2122" dev=sda1 ino=49169 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:sshd_tmp_t:s0 tclass=dir
audit(1206101398.028:18): avc: denied { unlink } for pid=2155 comm="rm" name="agent.2122" dev=sda1 ino=49169 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:sshd_tmp_t:s0 tclass=sock_file
audit(1206101398.028:19): avc: denied { rmdir } for pid=2155 comm="rm" name="ssh-IgYHrr2122" dev=sda1 ino=49168 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:sshd_tmp_t:s0 tclass=dir

Thanks for suggestions.
Regards
-- 
Zito
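As an added example (not part of the thread or of refpolicy): a small Python script that merges AVC denials like the four above into the raw allow rules audit2allow would propose, which is the usual way to check what a policy change such as the ssh-agent one asked about would have to cover. The sample input is the four denial lines from the mail.

```python
import re
from collections import defaultdict

# Fields of an AVC denial record as printed by the kernel (dmesg/audit.log).
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return (perms, source type, target type, tclass) for one denial, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    perms = set(m.group('perms').split())
    # A context is user:role:type[:level]; the type is the third field.
    stype = m.group('scontext').split(':')[2]
    ttype = m.group('tcontext').split(':')[2]
    return perms, stype, ttype, m.group('tclass')


def denials_to_rules(lines):
    """Merge denials into one raw allow rule per (source, target, class)."""
    wanted = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed is not None:
            perms, stype, ttype, tclass = parsed
            wanted[(stype, ttype, tclass)] |= perms
    return ['allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(p)))
            for (s, t, c), p in sorted(wanted.items())]


# The four denials from the mail (rm -rf /tmp/ssh-* run as staff_t).
SAMPLE = """\
audit(1206101398.028:16): avc: denied { write } for pid=2155 comm="rm" name="ssh-IgYHrr2122" dev=sda1 ino=49168 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:sshd_tmp_t:s0 tclass=dir
audit(1206101398.028:17): avc: denied { remove_name } for pid=2155 comm="rm" name="agent.2122" dev=sda1 ino=49169 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:sshd_tmp_t:s0 tclass=dir
audit(1206101398.028:18): avc: denied { unlink } for pid=2155 comm="rm" name="agent.2122" dev=sda1 ino=49169 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:sshd_tmp_t:s0 tclass=sock_file
audit(1206101398.028:19): avc: denied { rmdir } for pid=2155 comm="rm" name="ssh-IgYHrr2122" dev=sda1 ino=49168 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:sshd_tmp_t:s0 tclass=dir
"""

if __name__ == '__main__':
    # Raw rules only; in refpolicy these are written with the manage_*_pattern
    # macros inside the right interface, as the gpg.if patch does.
    for rule in denials_to_rules(SAMPLE.splitlines()):
        print(rule)
```

For the ssh-agent case this yields a dir rule with write, remove_name and rmdir and a sock_file rule with unlink, i.e. the userdomain manage patterns the gpg.if hunk keeps for $1_gpg_agent_tmp_t, applied to sshd_tmp_t.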
Index: policy/modules/apps/gpg.if
===================================================================
--- policy/modules/apps/gpg.if.orig	2008-03-20 12:00:48.000000000 +0100
+++ policy/modules/apps/gpg.if	2008-03-21 13:18:29.000000000 +0100
@@ -212,6 +212,12 @@
 	manage_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t)
 	manage_lnk_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t)
 
+	# write ~/.gpg-agent-info (gpg-agent --write-env-file option)
+	allow $1_gpg_agent_t { $1_home_dir_t $1_home_t }:dir add_entry_dir_perms;
+	type_transition $1_gpg_agent_t $1_home_dir_t:file $1_home_t;
+	allow $1_gpg_agent_t $1_home_t:file create_file_perms;
+	allow $1_gpg_agent_t $1_home_t:file write_file_perms;
+
 	# allow gpg to connect to the gpg agent
 	stream_connect_pattern($1_gpg_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t,$1_gpg_agent_t)
 
@@ -219,11 +225,18 @@
 	ps_process_pattern($2,$1_gpg_agent_t)
 
 	# Allow the user shell to signal the gpg-agent program.
-	allow $2 $1_gpg_agent_t:process { signal sigkill };
+	allow $2 $1_gpg_agent_t:process { signal sigkill signull };
 
+	# Allow the user to manage gpg-agent tmp files (socket)
 	manage_dirs_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
 	manage_files_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
 	manage_sock_files_pattern($2,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
+
+	# Allow the gpg-agent to manage its tmp files (socket)
+	manage_dirs_pattern($1_gpg_agent_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
+	manage_files_pattern($1_gpg_agent_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
+	manage_sock_files_pattern($1_gpg_agent_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t)
+
 	files_tmp_filetrans($1_gpg_agent_t, $1_gpg_agent_tmp_t, { file sock_file dir })
 
 	# Transition from the user domain to the derived domain.
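Review bot: the first hunk (-212,6 +212,12) is unchanged from the earlier version, so the objection to unconditional writes to general home content still stands: `allow $1_gpg_agent_t $1_home_t:file write_file_perms;` covers any $1_home_t file in the home, and `add_entry_dir_perms` on { $1_home_dir_t $1_home_t } covers every home subdirectory, not just the top-level ~/.gpg-agent-info. A dedicated type for the env file, assigned through the type_transition from $1_home_dir_t and used as the only target of the create and write rules, would confine the agent to that one file.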
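Review bot: the ssh-agent question attached to the second hunk (-219,11 +225,18) should become a separate patch against the ssh module rather than an addition here: the denials shown above are staff_t against sshd_tmp_t (write, remove_name and rmdir on the dir, unlink on the sock_file), which are exactly the userdomain manage rules this hunk keeps for $1_gpg_agent_tmp_t, so gpg.if is not the place to grant them. Otherwise this version resolves the earlier objection by keeping the three $2 patterns and adding the $1_gpg_agent_t ones beside them.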